ASA-2019-00325 – Twisted: CRLF injections in HTTP client APIs


Allele Security Alert

ASA-2019-00325

Identifier(s)

ASA-2019-00325, CVE-2019-12387

Title

CRLF injections in HTTP client APIs

Vendor(s)

Twisted Matrix Laboratories

Product(s)

Twisted

Affected version(s)

Twisted versions before 19.2.1

Fixed version(s)

Twisted 19.2.1

Proof of concept

Unknown

Description

Twisted's HTTP client APIs did not reject carriage-return (CR) or line-feed (LF) characters in caller-supplied request components: the HTTP method, the host, and URI components such as the path and query parameters. Because these values were interpolated directly into the request sent on the wire, a maliciously constructed value could terminate a header line early and inject additional headers (CRLF injection). Twisted 19.2.1 prevents this by rejecting such values.
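As an added illustration (not Twisted's own code, and not code from this alert): a minimal HTTP/1.1 request serializer that shows how an unvalidated method, host or path carrying CR/LF becomes an extra header line on the wire, beside the input check a hardened client applies. The serializer, the peer-side parse helper, the `example.com` host and the sample malicious path are all constructed for this example.

```python
# Added example (not Twisted's code): a minimal HTTP/1.1 request serializer
# that models the CRLF-injection bug class behind CVE-2019-12387, beside the
# input validation that closes it. All names and sample values are constructed.

from typing import Dict, Tuple

CRLF = "\r\n"


def build_request_naive(method: str, host: str, path: str) -> bytes:
    """Vulnerable: interpolates caller-supplied components with no validation.

    A CR or LF inside method, host or path is emitted as-is, so the peer sees
    whatever follows it as a new header line (or a second request).
    """
    request = f"{method} {path} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}"
    return request.encode("latin-1")


def _reject_crlf(name: str, value: str) -> None:
    """Refuse any component that could terminate a header line early."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name} must not contain CR or LF")


def build_request_checked(method: str, host: str, path: str) -> bytes:
    """Hardened: validate every attacker-influenceable component first."""
    for name, value in (("method", method), ("host", host), ("path", path)):
        _reject_crlf(name, value)
    return build_request_naive(method, host, path)


def parse_as_peer_would(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split the wire bytes the way a lenient HTTP/1.1 peer does: one line per
    header, key and value separated at the first colon. Used only to show what
    the injected bytes turn into on the receiving side."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return request_line, headers


# Constructed attacker-controlled path: the embedded CRLF smuggles an extra header.
MALICIOUS_PATH = "/search?q=x\r\nX-Injected: attacker-controlled"


def injected_header_seen(path: str = MALICIOUS_PATH) -> bool:
    """True if the naive builder lets the injected header reach the peer."""
    _, headers = parse_as_peer_would(build_request_naive("GET", "example.com", path))
    return "X-Injected" in headers


def is_rejected(method: str, host: str, path: str) -> bool:
    """True if the hardened builder refuses to serialize the request."""
    try:
        build_request_checked(method, host, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive builder leaks injected header:", injected_header_seen())
    print("checked builder rejects malicious path:",
          is_rejected("GET", "example.com", MALICIOUS_PATH))
    print("checked builder accepts clean path:",
          not is_rejected("GET", "example.com", "/search?q=x"))
```

The check is deliberately placed on every component the caller can influence, not only the path: a method or host value with an embedded CRLF reaches the wire through exactly the same interpolation, which is why the advisory lists all three.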

Technical details

Unknown

Credits

Alex Brasetvik

Reference(s)

Twisted 19.2.1 Released
https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html

[Twisted-Python] [SECURITY] Twisted 19.2.1 Release Announcement
https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html

Prevent CRLF injections described in CVE-2019-12387
https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2

CVE-2019-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387

CVE-2019-12387
https://nvd.nist.gov/vuln/detail/CVE-2019-12387

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.